Extracted firmware of my SBG901 from MX Flash , now how can I extract CERTS?

[dssence]

Hi guys I could finally manage to make the LPT cable work to dump my firmware on the MX memory MX25L6445E, it was sort of complicated cause I had to solder all the cables to each of the legs of the MX flash , and outputs and inputs, but I finally got the flash dump.
total size it's 8,388,608 I'm suspecting it flashed the whole entire MX memory not the firmware area only I don't know if that's right or wrong ,maybe I should have dumped a specific area of the MX flash .
Anyways I'm not that savvy regarding firmware manipulation,and about memory locations .So question is I would like to learn how can I extract the Certificate from the firmware dump I have. Maybe enabling factory mode enabling some hex bit .
I'm going to upload the firmware to mediafire, now big problem the entire dump I have it's 8 megs 8,388,608 bytes in size , by some reason I downloaded another firmware from an sbg901 (SBG901-2.1.3.0-GA-00-256-NOSH-NNDMN.p7) and it's 1,991,313 bytes , so I'm suspecting I just dumped the entire MX flash memory from the fist memory position to the last one.
Anyways , I tried using cmnonexp2mbwin32 which supposedly extracts certificates from BCM3348/BCM3349 chipsets, problem is this modem has a BCM3361 chipset, I ran that app which supposedly rips certificates from 2Mb firmware, but I did find lot's of stuff I'm not quite sure it ripped properly the certs. I'm suspecting that the non-vol memory address location it's in the first 2048Mb of the flash memory so I will try to make a dump of only the first 2048Mb and see if cmnonexp works better. I saw there's another version which it's not limited to 2Mb only bins.. maybe I'm gonna check that one.

This was the research I made myself.






This is is the setup






I'm leaving the link to the full dump of the bin if you can help me out extract the certs

[TheCoder]

Question is, why do you actually want to extract the certs ?

Because they are tied to a specific MAC then as soon as you use the cert/mac pair in multiple locations then it becomes very obvious that not only are you using a cloned modem but also that you've had full access to the original in order to dump it.

So, just wondering what it is your trying to achieve by extracting them.

Anyway, with regards to the flash being 8Meg - there's a few immediate possibilities -

1/ you've set the programmer to the wrong flash type
2/ The flash really is an 8 Meg device but with lots of free space
3/ The flash firmware is very large !

If you stick the firmware into winrar/pkzip etc and it goes very much smaller then chances are the image has lots of free space (or you've repeatly read the device by selecting the wrong flash type). You can probably also tell using a standard hex editor to examine the image file (frhed is free and will do the job).

edit: The device specified is indeed a 67,108,864 bit (8Mbyte) device.
edit2: As the device is a serial flash device its likely that its copied into RAM by some bootloader before anything can be executed (you generally cant exectute anything from serial devices as they are way too slow). If thats the case then its possible the data is in a compressed/encrypted form.

[dssence]

Sup sorry i I took so long to answer but I bought an epc2100r2 and was all night trying to make it work.. no luck

Quote:

Question is, why do you actually want to extract the certs ?
Because they are tied to a specific MAC then as soon as you use the cert/mac pair in multiple locations then it becomes very obvious that not only are you using a cloned modem but also that you've had full access to the original in order to dump it.
So, just wondering what it is your trying to achieve by extracting them.
Because they are tied to a specific MAC then as soon as you use the cert/mac pair in multiple locations then it becomes very obvious that not only are you using a cloned modem but also that you've had full access to the original in order to dump it.
So, just wondering what it is your trying to achieve by extracting them.

Well cause I wanted to add a second connection to the one I already have basically. and I wanted to try other certs people exchange in a local forum with working configs and see how it goes

yep I'm using a working modem already I did dump the whole flash of the modem using some sort of Flash reader I didn't want to buy buspirate or busblaster to read the MX flash SPI chip, so I built my own from a guys page with an LPT cable and some resistors.. using SPIPGM program, worked as charm. It detected the MX memory chip properly and dumped everything. So yes the memory dump is valid.

Quote:

Anyway, with regards to the flash being 8Meg - there's a few immediate possibilities -

1/ you've set the programmer to the wrong flash type
2/ The flash really is an 8 Meg device but with lots of free space
3/ The flash firmware is very large !

If you stick the firmware into winrar/pkzip etc and it goes very much smaller then chances are the image has lots of free space (or you've repeatly read the device by selecting the wrong flash type). You can probably also tell using a standard hex editor to examine the image file (frhed is free and will do the job).

edit: The device specified is indeed a 67,108,864 bit (8Mbyte) device.
edit2: As the device is a serial flash device its likely that its copied into RAM by some bootloader before anything can be executed (you generally cant exectute anything from serial devices as they are way too slow). If thats the case then its possible the data is in a compressed/encrypted form.

Yep you're right it's an MX flash memory correct size I dumped it nicely. I know there's a TSOP memory chip around 256MB DDR2 near the CPU which might be used to decompress everything there, which is a BCM3361 didn't find any datasheet for it really locked to the knees no information whatsoever. Not quite sure the dump from the flash it's encrypted I used a hexeditor and there's stuff easily read and understood.

But now comes the huge problem I bought a webstar epc2100r2 (supposedly that's what said on the case ) I opened it and had a BCM3349 flashed it with latest haxorware. and tried the following combinations of configs with the certs I had from my SBG 901 but it's not working. Question is does it really matter at the time of extracting the certs of the working modem, the modem being cloned has to have the same exact CPU of the source modem? , cause my source working connection modem has a BCM3361 and the webstar to clone which I have haxorware has a BCM3349, I don't think so but..
so anyways these are the logs from haxorware.. see if you can help me out or any ideas..


- Config with baseline_bpi_bypass
http://pastebin.com/bnMkGTyu

- Config with Baseline Docsis 1.1 using nonvol1 certs
http://pastebin.com/EFecZq4e

-Config with Baseline Docsis 1.1 using nonvol2 certs
http://pastebin.com/JG9bCMjG

- Config with baseline disabled.
http://pastebin.com/bxmpqmyE

you can see that I got TLV-11 Unrecognized OID in both BPI-docsis1.1 but I don't have an IP assigned.. I checked at some forums and TLV-11 said it had to do that the MAC address is of another manufacturer. I don't know what's going on the certs seem to be fine. what else could be wrong.
This is the link of the Certs extracted with cmnonxp2mb, http://www.mediafire.com/?w2dx4x2s5d5771f maybe it helps you can check them out.

[dssence]

Just realised something .. I was comparin strings .. and came across this

[TheCoder]

The certificates will likely be tied to the MAC and possibly to some hardware serial number (The broadcom processors now all have built in unique serial numbers which cant be modified) so chances are you cant just dump them on some 'foreign' hardware. The certs themselves will also be digitally signed so you cannot in any way change them.

The problem with swapping them is that its very obvious to VM what has occured. Its not like MAC swapping where you can extract new Macs from the air. Certificate swapping guarantees that somebody has had unauthourised hardware access to a particular modem. If VM see a modem obviously logging in from multiple locations then they will start to look at the modem 'owner' very carefully indeed !

btw, the serial number displayed in the certifcate menu's are in hex whilst the information label is printed in decimal. Not sure if they are actually the same though as my calculator doesn't handle numbers that large !

[dssence]

Quote:

The certificates will likely be tied to the MAC and possibly to some hardware serial number (The broadcom processors now all have built in unique serial numbers which cant be modified) so chances are you cant just dump them on some 'foreign' hardware. The certs themselves will also be digitally signed so you cannot in any way change them.

So what you're saying is that If extracted the certs from my SBG901 Broadcomm 3361 chipset and wanted to use them on the webstar which has a Broadcomm 3349 they won't be compatible? did you see the logs ?

[TheCoder]

Quote:

Originally Posted by dssence

So what you're saying is that If extracted the certs from my SBG901 Broadcomm 3361 chipset and wanted to use them on the webstar which has a Broadcomm 3349 they won't be compatible? did you see the logs ?

What i'm saying is that if the firmware writers do it properly them the certs would be locked to one single modem only. Thats because most of the broadcom (and others these days) now have a unique serial number embedded into each and every processor and the certs should be matched to that unchangeable serial number !

Fortunately for you, a lot of the older modems dont seem to of properly done this locking so it is possible to do a full 'clone' however, its still pretty pointless because of the problems I mention above. Cert cloning is enough to point to the registered modem owner as being involved in the cloning operation simply because certs cannot be remotely extracted.

[dssence]

Well basically I just wanted to clone mine to a dpc just to have 2 connections that's all , do you know somethin about cmnonvol to extract certs.. I managed to get the nonvol but by some reason I'm getting this error on haxor ..
tlv-11 unrecognized oid, which supposedly it's about bpi security .. I'm not quite sure what's up with the certs .. is there any chance you could see the certs and see if they're right?

[mickmc68]

Quote:

Originally Posted by dssence

Well basically I just wanted to clone mine to a dpc just to have 2 connections that's all , do you know somethin about cmnonvol to extract certs.. I managed to get the nonvol but by some reason I'm getting this error on haxor ..
tlv-11 unrecognized oid, which supposedly it's about bpi security .. I'm not quite sure what's up with the certs .. is there any chance you could see the certs and see if they're right?

Hi m8 even if u do a perfect 1 to 1 clone u wont be able to use both in the same area , never mind the same house

Mick

[TheCoder]

Indeed you cant. You cant use the same MAC in the same UBR region - both modems would just yo-yo as they userped the connection from the other modem.

If a 2nd connection is all thats required, then you need to get a standard modem working on the old overlay (ie low speed, 20Meg or less) and simply clone a MAC from an adjoining area. Forget all about certificates - they lead to nothing but trouble !